Oracle Blog

Friday Aug 10, 2012

Oracle today released Security Alert CVE-2012-3132 to address a vulnerability affecting the Oracle Database Server, which was publicly disclosed at BlackHat 2012. With a CVSS Base Score of 6.5, this vulnerability involves the ‘INDEXTYPE CTXSYS.CONTEXT’, and if successfully exploited, can allow a malicious attacker to gain ‘SYS’ privileges. This vulnerability does not affect 11gR2 databases which have applied the July 2012 Critical Patch Update. Note that this vulnerability is not remotely exploitable without authentication; in other words, the attacker needs to have credentials and specific privileges, including the ‘Create Table’ privilege, in order to create the exploit conditions. Oracle recommends that organizations apply this Security Alert as soon as possible because the technical details of this vulnerability have been very widely disclosed and one can easily find sample exploit code over the Internet.

As much as possible, it is important that organizations use the most current product versions available to them. As stated in each Critical Patch Update and Security Alert Advisory, Oracle does not generally test for the presence of the vulnerabilities fixed through the Critical Patch Update and Security Alert programs in releases of affected product lines that are no longer supported. However, it is likely that these vulnerabilities exist in previously released, but no longer supported, releases of the affected products. In a previous blog entry, I discussed Oracle’s security fixing policies, and recommended that customers remain on current releases in order to take advantage of Oracle’s ongoing security assurance effort. This Security Alert, along with all recently released Critical Patch Updates, is an example of the importance of keeping up with newer and actively supported releases. Customers on unsupported versions, unless they have purchased Extended Support under the Lifetime Support Policy, will not receive a permanent fix for the release they are running.

It is unfortunate when the technical details of a security vulnerability are disclosed before a fix could be made available, especially when the disruption resulting from having to deal with an unplanned patch, and the amount of time required by customers to apply the patch, may yield less of a security posture improvement than other security efforts, such as ongoing hardening and auditing.

Monday Apr 30, 2012

Oracle just released Security Alert CVE-2012-1675 to address the “TNS Listener Poison Attack” in the Oracle Database. With a CVSS Base Score of 7.5, this vulnerability is remotely exploitable without authentication, and if successfully exploited, can result in a full compromise of the targeted Database.

In the April 2012 Critical Patch Update, Oracle provided Security-in-Depth recognition to Joxean Koret. As stated in the Critical Patch Update advisories, “People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.”

As stated in previous blog entries, Oracle fixes vulnerabilities first in the main code line, and then tries to backport fixes through the Critical Patch Update program for exploitable vulnerabilities that were externally reported. In certain instances, such backporting is very difficult or impossible because of the amount of code change required, or because the fix would create significant regressions, or because there is no reasonable way to automate the application of the fix (for example when user interaction is required to change configuration parameters).

Shortly after the release of the Critical Patch Update, mistakenly assuming that the issue had been backported through the CPU, Joxean Koret, the initial reporter of this vulnerability, fully disclosed its details, initially stating that it had been fixed by Oracle, then after realizing that it had not been fixed in current releases, reported the vulnerability as a “0-day.”

As a result of this disclosure, Oracle has issued Security Alert CVE-2012-1675 to provide customers with a number of technical measures to provide effective defense against this vulnerability in all deployment scenarios.

Customers on single-node configurations (i.e., non Real Application Cluster (RAC) customers) should refer to the My Oracle Support Note titled “Using Class of Secure Transport (COST) to Restrict Instance Registration” (Doc ID 1453883.1) to limit registration to the local node and the IPC protocol through the COST (Class Of Secure Transport) feature in the listener.
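The single-node mitigation described above amounts to two listener.ora changes: give the listener an IPC endpoint and set SECURE_REGISTER_&lt;listener_name&gt; so that instance registration is accepted only over IPC. The following checker is an added example, not code from Oracle or the Support Note; the two listener.ora fragments are constructed for illustration, and the function simply reports which of those two settings a given listener is missing.

```python
import re

# Constructed listener.ora fragments (not from the post). The first accepts
# instance registration over TCP from any host; the second adds an IPC
# endpoint and pins registration to it with SECURE_REGISTER_<listener_name>.
WEAK_LISTENER_ORA = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
    )
  )
"""

HARDENED_LISTENER_ORA = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
    )
  )
SECURE_REGISTER_LISTENER = (IPC)
"""

def listener_block(listener_ora, name):
    """Text of the top-level '<name> = (...)' entry, ending at the next key
    that starts in column 0 (e.g. SECURE_REGISTER_...); '' if absent."""
    m = re.search(rf"^{re.escape(name)}\s*=.*?(?=^\w+\s*=|\Z)", listener_ora,
                  re.IGNORECASE | re.MULTILINE | re.DOTALL)
    return m.group(0) if m else ""

def secure_register_protocols(listener_ora, name):
    """Protocols in SECURE_REGISTER_<name>; None when the parameter is absent,
    i.e. registration is accepted on every endpoint the listener has."""
    m = re.search(rf"^SECURE_REGISTER_{re.escape(name)}\s*=\s*\(([^)]*)\)",
                  listener_ora, re.IGNORECASE | re.MULTILINE)
    return {p.strip().upper() for p in m.group(1).split(",") if p.strip()} if m else None

def check_cost(listener_ora, name="LISTENER"):
    """Findings for a single-node listener; [] means IPC-only registration."""
    findings = []
    if not re.search(r"\(\s*PROTOCOL\s*=\s*IPC\s*\)", listener_block(listener_ora, name), re.I):
        findings.append(f"{name}: no IPC endpoint for local instance registration")
    protos = secure_register_protocols(listener_ora, name)
    if protos is None:
        findings.append(f"SECURE_REGISTER_{name} not set: remote TCP registration accepted")
    elif protos != {"IPC"}:
        findings.append(f"SECURE_REGISTER_{name} allows {sorted(protos)}, expected (IPC) only")
    return findings
```

The database side of the Note (pointing the instance's local listener at the IPC endpoint) is outside what a listener.ora check can see, so treat an empty result as necessary rather than sufficient.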

Note that implementing COST restrictions in RAC environments requires the use of SSL/TLS encryption. Such network encryption features were previously only available to customers who were licensed for Oracle Advanced Security. However, RAC customers who were previously not licensed for Oracle Advanced Security need not be concerned about a licensing restriction, as Oracle has updated its licensing to allow these customers the use of these features (namely SSL and TLS) to protect themselves against vulnerability CVE-2012-1675. In other words, Oracle has added Oracle Advanced Security SSL/TLS to the Enterprise Edition Real Application Clusters (Oracle RAC) and RAC One Node options, and added Oracle Advanced Security SSL/TLS to the Oracle Database Standard Edition license when used with the Real Application Clusters.

Considering that the technical details of vulnerability CVE-2012-1675 have now been widely distributed, Oracle highly recommends that customers make the configuration changes documented in the above-mentioned My Oracle Support Notes as soon as possible. Customers should also feel free to contact Oracle Support if they have questions or concerns.